
Understanding De-Identification of PHI Under HIPAA: Methods, Best Practices, and Insights

Protecting patient privacy remains a critical priority in healthcare. The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule sets standards to safeguard Protected Health Information (PHI). One key approach to maintaining privacy while enabling data use is de-identification. This post explores what de-identification means, the two main methods allowed under HIPAA, insights from the Office for Civil Rights (OCR), and key takeaways from the 2010 workshop on de-identification. The goal is to provide clear guidance for covered entities and business associates handling PHI.





What Is De-Identification and Why It Matters


De-identification is the process of removing or obscuring personal identifiers from health information so that the data cannot be linked back to an individual. This allows healthcare organizations, researchers, and others to use health data for analysis, research, and public health purposes without compromising patient privacy.


The significance of de-identification lies in balancing two needs:


  • Protecting patient privacy by preventing unauthorized identification.

  • Enabling data use for improving healthcare outcomes, policy making, and innovation.


Under HIPAA, once PHI is de-identified according to the Privacy Rule standards, it is no longer subject to HIPAA restrictions. This means organizations can share and use the data more freely, reducing compliance burdens while maintaining trust.



Two Primary Methods for De-Identification Under HIPAA


HIPAA outlines two official methods for de-identifying PHI: Expert Determination and Safe Harbor. Each method offers a different approach to ensuring data cannot be traced back to individuals.


Expert Determination Method


This method requires a qualified expert to apply statistical or scientific principles to determine that the risk of re-identifying individuals is very small. The expert must document the methods and results.


Key points about Expert Determination:


  • The expert uses formal analysis to assess re-identification risk.

  • The process is flexible and can adapt to new technologies or data types.

  • It requires specialized knowledge and may involve cost and time.

  • The expert’s opinion and documentation provide legal assurance of de-identification.


This method suits organizations handling complex datasets or when Safe Harbor removal of identifiers would overly limit data usefulness.


Safe Harbor Method


Safe Harbor is a more straightforward approach. It requires removing 18 specific identifiers related to the individual or their relatives, employers, or household. These identifiers include:


  • Names

  • Geographic subdivisions smaller than a state (except first three digits of ZIP code under certain conditions)

  • All elements of dates (except year) directly related to an individual

  • Telephone numbers, fax numbers, email addresses

  • Social Security numbers, medical record numbers, health plan beneficiary numbers

  • Account numbers, certificate/license numbers

  • Vehicle identifiers and serial numbers

  • Device identifiers and serial numbers

  • Web URLs, IP addresses

  • Biometric identifiers (fingerprints, voiceprints)

  • Full-face photographs and comparable images

  • Any other unique identifying number, characteristic, or code


Once these identifiers are removed, and the covered entity has no actual knowledge that the remaining information could identify an individual, the data is considered de-identified.


Safe Harbor is easier to implement but may reduce data utility because of the broad removal of identifiers.
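The three kinds of rule in the list above (drop the field, truncate the ZIP code, reduce dates to the year) can be applied to structured records as in this added example, which is not code from HHS or from the original post. Field names, the sample record, and the small-population ZIP prefix set are constructed assumptions; the "certain conditions" for ZIP codes are that the three-digit area covers more than 20,000 people, otherwise the prefix becomes 000.

```python
import re

# Hypothetical field names; map them to your own schema.
DROP_FIELDS = {"name", "street_address", "city", "phone", "fax", "email",
               "ssn", "mrn", "health_plan_id", "account_number",
               "license_number", "vehicle_id", "device_serial", "url",
               "ip_address", "biometric_id", "photo"}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date"}
# Patterns that flag identifiers left behind in free-text fields.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}
SAMPLE = {  # constructed record, not real patient data
    "name": "Jane Example", "ssn": "000-00-0000", "zip": "99950",
    "birth_date": "1984-03-17", "admission_date": "2023-11-02",
    "diagnosis_code": "E11.9",
    "notes": "Pt asked for callback at 555-010-0123 re: lab results.",
}


def safe_harbor_transform(record, small_zip3):
    """Return (cleaned_record, findings) for one dict-shaped record.

    small_zip3: set of 3-digit ZIP prefixes covering 20,000 or fewer
    people; those are written as "000" instead of being kept.
    """
    cleaned, findings = {}, []
    for field, value in record.items():
        if field in DROP_FIELDS or value is None:
            continue
        if field == "zip":
            zip3 = re.sub(r"\D", "", str(value))[:3]
            keep = len(zip3) == 3 and zip3 not in small_zip3
            cleaned["zip3"] = zip3 if keep else "000"
        elif field in DATE_FIELDS:
            # Expects ISO 8601 dates; only the year survives.
            match = re.match(r"(\d{4})-\d{2}-\d{2}", str(value))
            if match:
                cleaned[field.replace("_date", "_year")] = int(match.group(1))
            else:
                findings.append((field, "unparsed_date"))
        else:
            cleaned[field] = value
            if isinstance(value, str):
                findings += [(field, kind) for kind, rx in
                             RESIDUAL_PATTERNS.items() if rx.search(value)]
    return cleaned, findings
```

Calling `safe_harbor_transform(SAMPLE, {"999"})` keeps the diagnosis code and notes but reports `("notes", "phone")`, which is the kind of leftover that still needs human review. The rule's treatment of ages over 89 is outside the scope of this example.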



Insights from the Office for Civil Rights (OCR)


The OCR enforces HIPAA and provides guidance on de-identification best practices. Some key insights include:


  • Risk-based approach: OCR encourages covered entities to assess the risk of re-identification carefully, especially when using Expert Determination.

  • Documentation: Maintaining thorough documentation of the de-identification process is essential for compliance and audits.

  • Re-identification risk: OCR warns that de-identified data can still pose risks if combined with other data sources. Entities should consider the context and potential data linkages.

  • Ongoing review: De-identification is not a one-time task. Entities should periodically review methods and data as technology and data environments evolve.

  • Training and policies: Staff involved in de-identification should receive training, and organizations should have clear policies to ensure consistent application.


OCR also highlights that de-identified data is not subject to HIPAA, but entities should still consider ethical and contractual obligations.



Key Points from the 2010 Workshop on De-Identification


In 2010, the Department of Health and Human Services (HHS) held a workshop to discuss challenges and advances in de-identification. The workshop brought together experts from academia, industry, and government.


Important takeaways include:


  • Balancing privacy and data utility: Removing identifiers can limit the usefulness of data. Techniques like data masking, generalization, and perturbation can help maintain utility while protecting privacy.

  • Advances in technology: New methods such as machine learning and synthetic data generation show promise for improving de-identification.

  • Need for standards: Participants emphasized the importance of clear, consistent standards and guidance to help organizations apply de-identification effectively.

  • Risk assessment tools: Developing practical tools for measuring re-identification risk can support better decision-making.

  • Collaboration: Ongoing collaboration between regulators, researchers, and industry is vital to address emerging privacy challenges.


The workshop reinforced that de-identification is a dynamic field requiring continuous attention.
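One simple way to measure re-identification risk and see the effect of generalization is to count how many records share each combination of quasi-identifiers (a k-anonymity style check). This is an added example, not a tool from the workshop or a test HIPAA prescribes; the field names and records are constructed.

```python
from collections import Counter

QUASI_IDENTIFIERS = ("birth_year", "zip3", "sex")  # hypothetical field names

# Constructed records that already had direct identifiers removed.
RECORDS = [
    {"birth_year": 1981, "zip3": "123", "sex": "F", "dx": "E11.9"},
    {"birth_year": 1984, "zip3": "123", "sex": "F", "dx": "I10"},
    {"birth_year": 1984, "zip3": "123", "sex": "F", "dx": "J45.909"},
    {"birth_year": 1987, "zip3": "123", "sex": "F", "dx": "E11.9"},
    {"birth_year": 1992, "zip3": "456", "sex": "M", "dx": "I10"},
    {"birth_year": 1995, "zip3": "456", "sex": "M", "dx": "E11.9"},
]


def risk_summary(records, quasi_identifiers=QUASI_IDENTIFIERS):
    """Group records by quasi-identifier values and report the worst case."""
    classes = Counter(tuple(r[q] for q in quasi_identifiers) for r in records)
    k = min(classes.values())
    return {
        "k": k,  # size of the smallest group sharing the same values
        "unique_records": sum(1 for n in classes.values() if n == 1),
        "max_risk": 1 / k,  # worst-case chance of singling out one record
    }


def generalize_birth_year(records, width=10):
    """Coarsen birth_year to the start of its `width`-year band."""
    return [{**r, "birth_year": r["birth_year"] // width * width}
            for r in records]
```

On the constructed data, four of six records are unique on birth year, ZIP prefix, and sex (k = 1); generalizing birth year to the decade raises k to 2 with no unique records, at the cost of coarser age data.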



Practical Guidance for Covered Entities and Business Associates


Organizations handling PHI should follow these steps to ensure proper de-identification:


  • Choose the right method: Use Safe Harbor for straightforward cases or Expert Determination when data complexity requires a tailored approach.

  • Engage qualified experts: For Expert Determination, work with professionals experienced in statistical privacy methods.

  • Document thoroughly: Keep records of the de-identification process, decisions, and expert opinions.

  • Train staff: Ensure everyone involved understands HIPAA requirements and de-identification techniques.

  • Review regularly: Update de-identification practices as new risks or technologies emerge.

  • Consider data use: Align de-identification with the intended use of data to maintain its value.

  • Consult OCR guidance: Refer to official OCR resources and FAQs for the latest recommendations.


By following these steps, covered entities and business associates can protect patient privacy while enabling valuable data use.



Resources for Further Reading


For those seeking more information on de-identification under HIPAA, the following resources are helpful:


  • HIPAA Privacy Rule and De-Identification
    U.S. Department of Health and Human Services (HHS)
    https://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html

  • OCR Guidance on De-Identification
    Office for Civil Rights, HHS
    https://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html

  • 2010 HHS Workshop on De-Identification
    Workshop summary and presentations
    https://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/2010-workshop/index.html

  • NIST De-Identification Framework
    National Institute of Standards and Technology
    https://www.nist.gov/publications/de-identification-framework

